SFTP and PGP
When was the article created? 11/05/2021
Who was it created by? Sam Barber
Who does it apply to? IT and Randstad Clients
When should the article be used? When conforming to secure file transfers using PGP encryption
What does the article show you how to do? Describes how the PGP service works, based on a test client scenario called Randstad Test
Example Data flow (there may be subtle differences in each client config)
Prerequisites
Service account = SVC_SFTP (password in safe store)
Public Server (DMZ) = EUUKPOPFTP001 172.24.146.242 (apps: Bitvise SSH, MS FTP Service, AWS Security Groups)
Private Server = RUKSVRAPPSFTP01 172.24.148.116 (apps: SyncBack Pro, GnuPG, Kleopatra, AWS Security Groups)
Installation PGP
1. Install the PGP application from \\recruitdom.co.uk\ssc\apps2\gnupg pgp\ or the latest version from the website https://gnupg.org/download/ (Windows version, under the Binary heading).
2. The required base application is called Kleopatra.
Configuration Back End
Each client will have bespoke requirements, which should be discovered when the client is being set up for Randstad Services (site setup etc.). To help demonstrate the most common setup, see the guidance below.
RandstadTest is used as the example client.
1. On the Private Server, log on as the service account.
2. Create the client folder within D:\sftp\pgp (important to note that bi-directional replication happens within D:\SFTP, which syncs the data to the Public Server as per the existing SFTP design).
3. Within D:\PGPDecrypted create another folder with the same name as in step 2, and inside it 3 more folders named as per the picture below. These folders provide the structure needed for decrypting and moving files.
4. Within D:\PGPconfig create another folder with the same name as in step 2. This folder stores the important config files.
5. Using the Kleopatra application, create a certificate for the client, name it appropriately and select "add passphrase" (minimum 20 characters). Ensure you back up the whole certificate (option during certificate creation) and also export the public part of the certificate (export option, after creation) to the folder created in step 4.
6. Create a text file called clientnamePW.txt and enter the passphrase in this file.
7. Create a log file called clientnameLog.txt.
8. Finally, copy a PowerShell script from another setup and name it in a similar format. Edit the script to reflect all the parameters required: file paths, log file and, most importantly, the file extension. Each script is intended for a specific file extension, so if the client provides multiple extensions then multiple scripts will need to be created.
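The following is an added illustration of what such a per-extension script does, written for this article and not the script held in the existing setups. It assumes the folder layout from steps 2 to 4 for the RandstadTest client, that the passphrase and log files from steps 6 and 7 live in the client's D:\PGPconfig folder, that the client names uploads <original name>.pgp, and that gpg.exe sits at the default GnuPG install path; the three subfolder names (Staging, Output, Archive) are placeholders because the picture from step 3 is not reproduced here. It runs under the service account, so the service account's own keyring (holding the certificate from step 5) is used, and it reads the passphrase from the file rather than passing it on the command line, where it would be visible in process listings and Task Scheduler history.

```powershell
# Added example script (not the Randstad script): decrypt inbound .pgp files for one client and one extension.
# Hypothetical defaults; every path below follows the folder layout described in steps 2-4.
param(
    [string]$ClientName   = 'RandstadTest',
    [string]$Extension    = '.csv',                          # one script per plaintext extension
    [string]$IncomingDir  = "D:\sftp\pgp\RandstadTest",      # synced from the Public Server
    [string]$DecryptedDir = "D:\PGPDecrypted\RandstadTest",  # parent of the three subfolders from step 3
    [string]$ConfigDir    = "D:\PGPconfig\RandstadTest",     # passphrase, log and exported public key
    [string]$GpgExe       = 'C:\Program Files (x86)\GnuPG\bin\gpg.exe'   # assumed install path
)

$LogFile = Join-Path $ConfigDir "${ClientName}Log.txt"   # step 7
$PwFile  = Join-Path $ConfigDir "${ClientName}PW.txt"    # step 6
# Placeholder names for the three subfolders from step 3.
$Staging = Join-Path $DecryptedDir 'Staging'
$Output  = Join-Path $DecryptedDir 'Output'
$Archive = Join-Path $DecryptedDir 'Archive'

function Write-Log([string]$Message) {
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" | Add-Content -Path $LogFile
}

foreach ($dir in $Staging, $Output, $Archive) {
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
}
if (-not (Test-Path $PwFile)) { Write-Log "ERROR passphrase file missing: $PwFile"; exit 1 }

# Only this script's extension is picked up (e.g. report.csv.pgp); other extensions have their own script.
$files = Get-ChildItem -Path $IncomingDir -File -Filter "*$Extension.pgp"
if (-not $files) { Write-Log "INFO no *$Extension.pgp files in $IncomingDir"; exit 0 }

foreach ($f in $files) {
    # 1. Move the file out of the synced folder so it is processed exactly once.
    $staged = Join-Path $Staging $f.Name
    Move-Item -Path $f.FullName -Destination $staged -Force

    # 2. Decrypt with the service account's keyring. --pinentry-mode loopback lets gpg take the
    #    passphrase from the file non-interactively; --yes overwrites a stale output of the same name.
    $plain  = Join-Path $Output $f.BaseName          # report.csv.pgp -> report.csv
    $gpgOut = & $GpgExe --batch --yes --pinentry-mode loopback `
                  --passphrase-file $PwFile --output $plain --decrypt $staged 2>&1

    if ($LASTEXITCODE -ne 0) {
        # Leave the ciphertext in Staging for review and record gpg's message for the operator.
        Write-Log "ERROR gpg exit $LASTEXITCODE decrypting $($f.Name): $($gpgOut -join ' | ')"
        continue
    }

    # 3. Archive the original ciphertext with a timestamp so a re-upload of the same name does not collide.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Move-Item -Path $staged -Destination (Join-Path $Archive "$stamp-$($f.Name)") -Force
    Write-Log "OK decrypted $($f.Name) -> $plain"
}
```

Scheduled from Task Scheduler as the service account, a second copy of the script with a different -Extension default covers a client that sends more than one file type. Because the passphrase file is what protects the private key on disk, the D:\PGPconfig client folder should be readable only by the service account and the IT administrators.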
Configuration Front End
Although this part is not directly related to PGP, it is important to understand that the DMZ (Public Server) needs to be configured to allow SFTP file transmissions. TCS can allow RDP access to the server, but you will need a ukprddmz\"fn.lnadm" account in the first instance, and you can only access the public subnet via mgt001 or the Luton network.
1. Bitvise on the public server is used to set up a username, password and root folder for the client.
2. For extra security you must also add the external IP address the client connects from; add it in Bitvise on the server and also to the AWS security group ssc-sg-uk-prd-dmzftp.
3. The client then uses their username and password with the SFTP URL sftp.randstad.co.uk to upload files using an application such as FileZilla.
How it works
1. Randstad shares the public key with the client.
2. The client secures the files with the public key (i.e. creates a .pgp encrypted file).
3. The client uploads the file to the standard Randstad-provided SFTP URL (sftp.randstad.co.uk) using their username and password. This places the file in the client's directory on the Public SFTP server, which is replicated (remember the public and private servers sync).
4. The sync software (SyncBack Pro on the internal server, run by a scheduled task found three levels down in Task Scheduler under svc_backup or svc_sftp) syncs the file to the Private Server. A regular task then runs the PowerShell scripts to move, copy, decrypt and move the file for user access.
5. *** User access has not been defined.
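As an added example of steps 1 and 2 from the client's side (not part of the article or of Randstad's client guidance), these are the gpg commands a client would run in PowerShell to import the shared public key and produce the .pgp file that is then uploaded in step 3. It assumes gpg.exe from Gpg4win/GnuPG is on the PATH; the key file name, the key's user id and the data file name are hypothetical.

```powershell
# Added example (not Randstad's client guidance): client-side import and encryption for steps 1-2.
# Hypothetical names; the public key is the part exported from Kleopatra during back-end setup.
$PublicKey  = '.\RandstadTest_public.asc'   # file shared by Randstad (assumed name)
$Recipient  = 'RandstadTest'                # user id given to the certificate when it was created (assumed)
$PlainFile  = '.\report.csv'                # constructed sample input
$CipherFile = "$PlainFile.pgp"              # keep the original name and append .pgp

# Show the key's fingerprint and user id without importing it, so it can be compared against the
# fingerprint Randstad confirmed over a separate channel before the key is trusted.
& gpg --import-options show-only --import $PublicKey

# Import the key, then encrypt to that recipient only. --trust-model always is needed because the key
# carries no signature in the client's web of trust; locally signing it after the fingerprint check
# is the alternative.
& gpg --import $PublicKey
& gpg --batch --yes --trust-model always --recipient $Recipient --output $CipherFile --encrypt $PlainFile

# Before uploading, confirm which key the file is encrypted to (no decryption is attempted).
& gpg --list-only --decrypt $CipherFile
```

The resulting report.csv.pgp is what the client uploads over SFTP; the Private Server's per-extension script strips the .pgp suffix on decryption, so the client should keep the plaintext extension in the name.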
Client Guidance
TBC